Malware, short for malicious software, is a term for any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware includes viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious or unwanted software. Any client device, such as a desktop personal computer (PC), laptop, personal data assistant (PDA) or mobile phone, can be at risk from malware.
When a device is infected by malware the user will often notice unwanted behaviour and degradation of system performance as the infection can create unwanted processor activity, memory usage, and network traffic. This can also cause stability issues leading to application or system-wide crashes. The user of an infected device may incorrectly assume that poor performance is a result of software flaws or hardware problems, taking inappropriate remedial action, when the actual cause is a malware infection of which they are unaware.
Detecting malware is challenging because malware authors design their software to be difficult to detect, often employing techniques that deliberately hide the presence of the malware on a system; for example, the malware application may not appear in the operating system tables that list currently running processes.
Client devices make use of anti-virus applications to detect and possibly remove malware. An anti-virus application can make use of various methods to detect malware including scanning, integrity checking and heuristic analysis. Of these methods, malware scanning involves the anti-virus application examining objects such as files for a virus fingerprint or “signature” that is characteristic of an individual malware program.
When an object is scanned, several operations are performed in sequence. Initial operations are simple and quick checks that can be used to rule out the possibility of the object being malware. Examples of operations performed early in the sequence include comparing checksums, file header information, number of file sections and other file properties that typically differ between clean and infected objects. By performing these operations in sequence, the scan becomes quicker, as an object can be discounted before more detailed scanning of the object is required.
Many anti-virus applications store a result of a scan in a cache to ensure that a clean file is only scanned once. However, each time a database of signatures is updated, the cache must be flushed as there is no way of knowing which cached scan results are no longer valid in the light of the new signatures. This means that all files must be rescanned after each database update, which is time consuming and uses processor resources.
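The staged scan described above, together with the scan-result cache that a signature update forces to be flushed, as an added illustration that is not code from the original document. The toy file layout (a 4-byte header followed by a one-byte section count), the `Signature` and `Scanner` names and the sample signatures are all assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass

# Toy signature entry: cheap file properties (header magic, section count)
# plus the identifying byte pattern. Constructed data, not any vendor's format.
@dataclass(frozen=True)
class Signature:
    name: str
    magic: bytes      # expected file header
    sections: int     # expected section count
    pattern: bytes    # byte sequence searched for in the detailed scan

TOY_SIGNATURES_V1 = [Signature("Toy.A", b"MZ\x90\x00", 3, b"EVIL-A")]

class Scanner:
    def __init__(self, signatures, db_version=1):
        self.signatures = list(signatures)
        self.db_version = db_version
        self.cache = {}          # sha256 digest -> (db_version, verdict)
        self.detailed_scans = 0  # how many objects reached the expensive stage

    def update_signatures(self, signatures):
        # A database update invalidates every cached verdict: nothing records
        # which clean results the new signatures would overturn, so flush all.
        self.signatures = list(signatures)
        self.db_version += 1
        self.cache.clear()

    @staticmethod
    def properties(data):
        # Stage-1 inputs in this toy format: a 4-byte header followed by a
        # one-byte section count (assumed layout, not a real file format).
        return data[:4], data[4]

    def scan(self, data):
        digest = hashlib.sha256(data).hexdigest()
        cached = self.cache.get(digest)
        if cached and cached[0] == self.db_version:
            return cached[1]
        magic, sections = self.properties(data)
        # Stage 1: discount the object unless some signature's cheap
        # properties match; most clean files never reach stage 2.
        candidates = [s for s in self.signatures
                      if s.magic == magic and s.sections == sections]
        verdict = None
        if candidates:
            self.detailed_scans += 1   # Stage 2: detailed pattern scan
            verdict = next((s.name for s in candidates if s.pattern in data), None)
        self.cache[digest] = (self.db_version, verdict)
        return verdict
```

`detailed_scans` makes the cost visible: an object whose header or section count matches no signature is discounted at stage 1, a cached clean verdict is reused until the next update, and after `update_signatures` every object is scanned again.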